HP-UX Reference (11i v1 00/12) - 1M System Administration Commands N-Z (vol 4)
nisaddcred(1M)
NAME
nisaddcred - create NIS+ credentials
SYNOPSIS
nisaddcred [-p principal] [-P nis_principal] [-l login_password] auth_type [domain_name]
nisaddcred -r [nis_principal] [domain_name]
DESCRIPTION
The nisaddcred command is used to create security credentials for NIS+ principals. NIS+ credentials
serve two purposes. The first is to provide authentication information to various services; the second is to
map the authentication service name into an NIS+ principal name.
When the nisaddcred command is run, these credentials get created and stored in a table named
cred.org_dir in the default NIS+ domain. If domain_name is specified, the entries are stored in the
cred.org_dir of the specified domain. Note that the credentials of normal users must be stored in the
same domain as their passwords.
It is simpler to add credentials using nisclient(1M) because it obtains the required information itself.
nispopulate(1M) can also be used to add credentials for entries in the hosts and the passwd NIS+ tables.
NIS+ principal names are used in specifying clients that have access rights to NIS+ objects. For more
details, refer to the "Principal Names" subsection of the nis+(1) manual page. See nischmod(1),
nischown(1), nis_objects(3N), and nis_groups(3N). Various other services can also implement access control
based on these principal names.
The cred.org_dir table is organized as follows:
     cname          auth_type  auth_name          public_data  private_data
     fred.foo.com.  LOCAL      2990               10,102,44
     fred.foo.com.  DES        unix.2990@foo.com  098...819    3b8...ab2
The cname column contains a canonical representation of the NIS+ principal name. By convention, this
name is the login name of a user or the host name of a machine, followed by a dot ("."), followed by the fully
qualified "home" domain of that principal. For users, the home domain is defined to be the domain where
their DES credentials are kept. For hosts, their home domain is defined to be the domain name returned
by the domainname(1) command executed on that host.
There are two types of auth_type entries in the cred.org_dir table: those with authentication type
LOCAL and those with authentication type DES. auth_type, specified on the command line in upper or
lower case, should be either local or des.
Entries of type LOCAL are used by the NIS+ service to determine the correspondence between fully
qualified NIS+ principal names and users identified by UIDs in the domain containing the
cred.org_dir table. This correspondence is required when associating requests made using the
AUTH_SYS RPC authentication flavor (see rpc_clnt_auth(3N)) with an NIS+ principal name. It is also
required for mapping a UID in one domain to its fully qualified NIS+ principal name, whose home domain
may be elsewhere. The principal's credentials for any authentication flavor may then be sought within
the cred.org_dir table in the principal's home domain (extracted from the principal name). The same
NIS+ principal may have LOCAL credential entries in more than one domain. Only users, and not
machines, have LOCAL credentials. In their home domain, users of NIS+ should have both types of
credentials.
The auth_name associated with the LOCAL type entry is a UID that is valid for the principal in the domain
containing the cred.org_dir table. This may differ from that in the principal's home domain. The
public information stored in public_data for this type contains a list of GIDs for groups in which the user is
a member. The GIDs also apply to the domain in which the table resides. There is no private data
associated with this type. Neither a UID nor a principal name should appear more than once among the LOCAL
entries in any one cred.org_dir table.
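As an added example (not from the HP-UX manual or the NIS+ implementation), the following Python checks a cred.org_dir listing against the rules this page states: the column layout shown above, the uniqueness of UIDs and principal names among LOCAL entries, and the unix.id@domain netname form described for DES entries below. The sample rows are constructed, and table_domain is an assumed parameter naming the domain whose table is being checked.

```python
import re

# Constructed rows in the layout of the cred.org_dir table shown on this page (not a
# real NIS+ dump): wilma reuses fred's UID and barney's netname names the wrong domain.
SAMPLE_TABLE = """\
fred.foo.com.    LOCAL  2990               10,102,44
fred.foo.com.    DES    unix.2990@foo.com  098...819  3b8...ab2
wilma.foo.com.   LOCAL  2990               10
barney.foo.com.  DES    unix.3001@bar.com  0aa...111  4cc...222
"""
COLUMNS = ("cname", "auth_type", "auth_name", "public_data", "private_data")

def parse_cred_table(text):
    """Split whitespace-separated rows into dicts keyed by column name."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if fields:
            fields += [""] * (len(COLUMNS) - len(fields))  # LOCAL rows carry no private_data
            rows.append(dict(zip(COLUMNS, fields)))
    return rows

def home_domain(cname):
    """'fred.foo.com.' -> 'foo.com': drop the first label and the trailing dot."""
    return cname.split(".", 1)[1].rstrip(".")

def check_cred_table(rows, table_domain):
    """Return the violations of the constraints the manual page states for this table."""
    problems, seen_uids, seen_names = [], set(), set()
    local_uid = {r["cname"]: r["auth_name"] for r in rows if r["auth_type"] == "LOCAL"}
    for r in rows:
        name, dom_home = r["cname"], home_domain(r["cname"])
        if r["auth_type"] == "LOCAL":
            # Neither a UID nor a principal may appear twice among LOCAL entries.
            if r["auth_name"] in seen_uids or name in seen_names:
                problems.append(f"duplicate LOCAL entry: {name} / UID {r['auth_name']}")
            seen_uids.add(r["auth_name"]); seen_names.add(name)
        elif r["auth_type"] == "DES":
            m = re.fullmatch(r"unix\.([^@]+)@(.+)", r["auth_name"])
            if not m:
                problems.append(f"{name}: netname {r['auth_name']!r} is not of the form unix.id@domain")
                continue
            uid, dom = m.groups()
            if dom != dom_home:  # the netname domain must equal the principal's domain
                problems.append(f"{name}: netname domain {dom} != principal domain {dom_home}")
            # A LOCAL UID equals the home-domain UID only when this table lives in the
            # principal's home domain, so the DES id is cross-checked only in that case.
            if dom_home == table_domain and uid.isdigit() and local_uid.get(name, uid) != uid:
                problems.append(f"{name}: DES id {uid} != LOCAL UID {local_uid[name]}")
    return problems
```

Running check_cred_table(parse_cred_table(SAMPLE_TABLE), "foo.com") reports the duplicate UID for wilma and the mismatched netname domain for barney, and nothing for the two well-formed fred rows.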
The DES auth_type is used for Secure RPC authentication (see secure_rpc(3N)).
The authentication name associated with the DES auth_type is a Secure RPC netname. A Secure RPC
netname has the form unix.id@domain, where domain must be the same as the domain of the principal.
For principals that are users, the id must be the UID of the principal in the principal's home domain. For
principals that are hosts, the id is the host's name. In Secure RPC, processes running under effective UID
HP-UX Release 11i: December 2000 - 1 - Section 1M-577